The UK's G-Cloud programme is a digital marketplace where British government agencies can acquire cloud computing services. The UK has a 'cloud first' policy, which requires that agencies purchase cloud-based IT services unless the alternatives are cheaper. The current framework agreement, G-Cloud 11, bans providers from disclosing confidential information without written consent, and information can be disclosed to the cloud service provider's staff only to the extent that it is necessary under the agreement. The supplier has to notify the government agency about security breaches immediately. Unless the law provides otherwise, data has to be deleted 7 years after the framework contract ends. The framework includes a separate schedule addressing the processing of data.
Providers listed on the G-Cloud are not required to have a specific cyber security certification, but the National Cyber Security Centre's Cyber Essentials Certification is recommended. This advises organizations to use a firewall; two-factor authentication; Windows Defender to protect against malware; whitelisting (having an admin restrict installed applications to a pre-approved list); and applications that allow for sandboxing, that is, running the software in an isolated environment with limited access to network data.